On 18 October 2017, the European Commission (EC) announced an upcoming anti-terrorism package, which addresses, inter alia, encryption challenges in criminal investigations. From the Q&A:

[…]

4. Supporting law enforcement in criminal investigations online

What is the role of encryption in criminal investigations?

Law enforcement and judicial authorities are increasingly facing challenges posed by the use of encryption by criminals in the context of criminal investigations. This is not only limited to serious crimes: in many cases, electronic data may be the only information and evidence available to prosecute and convict criminals. The challenges are not only due to attempts by criminal users to disguise their electronic communication and privately stored data, but also due to the default option of many communication services to apply encryption. The use of encryption by criminals, and therefore its impact on criminal investigations, is expected to continue to grow in the coming years.

How is the Commission proposing to support Member States on encryption?

Following consultation with Member States and stakeholders, the Commission has proposed today:

to support Europol to further develop its decryption capability;

to establish a network of centres of encryption expertise;

to create a toolbox for legal and technical instruments;

to provide training for law enforcement authorities, supported by €500,000 from the ISF–Police fund in 2018;

to establish an observatory for legal and technical developments;

to establish a structured dialogue with industry and civil society organisations.

In early 2018, the Commission will present proposals to provide for a legal framework to facilitate access to electronic evidence.

[…]

It is unclear what this might mean in practice, but Rebecca Hill (Twitter: @BekiHill) reported at El Reg that security commissioner Julian King (Twitter: @JKingEU) said the following:

“The commission’s position is very clear – we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon.”

Hill (correctly) states:

“How exactly… we don’t know. Maybe someone has an RSA-cracking supercomputer up their sleeve they’re keeping secret. Maybe someone’s particularly good with a soldering iron and can read off keys from extracted flash memory chips.

What we do know is that the thrust of the plan boils down to asking member states to help each other by sharing their knowledge on dealing with encryption and creating a observatory to keep an eye on the latest tricks of the trade.”

On 16 October 2017, two days before the announcement by the EC, Maryant Fernández Pérez (Twitter: @maryantfp) stated the following in a blog post at EDRi:

“Saying ‘no’ to backdoors is a step into the right direction, but not the end of the debate, as there are still many ways to weaken encryption. The answer to security problems like those created by terrorism cannot be the creation of security risks. On the contrary, the EU should focus on stimulating the development and the use of high-grade standards for encryption, and not in any way undermine the development, production or use of high-grade encryption.

We are concerned by the potential inclusion of certain aspects of the Communication, such as the increase of capabilities of Europol and what this may entail, and references to removal of allegedly “terrorist” content without accountability in line with the Commission’s recent Communication on tackling illegal content online. We remain vigilant regarding the developments in the field of counter-terrorism.”

The EC statement that it does not seek backdoors should not be interpreted as meaning that Member States’ intelligence services / communities won’t, individually or in voluntary cooperation with peers or industry, pursue influencing crypto standards for kleptographic objectives (such as NSA did with Dual_EC_DRBG) regardless of EU-level policy. It simply means that the EC does not pursue EU-level policy on that — at this time, anyway.

Cryptanalytic efforts, such as the Edgehill (GCHQ) program, will obviously remain in existence in individual Member States, as they do elsewhere in the world (notably in the U.S.) — and the EC announcement’s Q&A excerpt cited above states the EC will seek to support Europol to further develop its decryption capability.

The EC’s announcement also says they will promote “structured dialogue with industry and civil society organisations”, with unstated objectives. To speculate: objectives might include convincing those engaged in dialogue that strong end-to-end crypto should not be enabled by default, and/or making sure certain information other than message content is still emitted and observable, and/or or otherwise changing software/hardware/protocol design or implementation to suit LE/intel needs. Which includes needs that must, in addition to privacy interests, also be addressed to maintain democratic values. [UPDATE 2017-12-14: something along those lines seems to be happening in the U.S., going by the following statement by FBI director Christopher Wray cited by @emptywheel : “[…] The FBI is actively engaged with relevant stakeholders, including companies providing technological services, to educate them on the corrosive effects of the Going Dark challenge on both public safety and the rule of law, and with the academic community and technologists to work on technical solutions to this problem”.]

To be continued.

Related reading:

2018-01-09: FBI chief calls unbreakable encryption ‘urgent public safety issue’ (Reuters). Snippet: “[…] The Federal Bureau of Investigation was unable to access data from nearly 7,800 devices in the fiscal year that ended Sept. 30 with technical tools despite possessing proper legal authority to pry them open, a growing figure that impacts every area of the agency’s work, [FBI director Christopher Wray] said during a speech at a cyber security conference in New York. […]”.

On 4 October 2017 a job advertisement appeared in NRC Handelsblad for a chair person & members of the “Toetsingcommissie Inzet Bevoegdheden” (TIB), the additional oversight committee established per the new Dutch spy law (Wiv20xx) that will perform binding ex-ante oversight on exercise of powers. PrivacyNieuws.nl (@PrivacyNleuws) published a picture (.gif) of the ad, which OCR’s back to the following text (in Dutch; OCR errors corrected):

UPDATE 2017-10-25:answers (.pdf, in Dutch; mirror) to parliamentary questions on this matter.

NOS reports (in Dutch) on an interview by ANP where the chief of the Dutch Military Intelligence & Security Service (MIVD) warns companies and (knowledge) institutes to be aware of attempts by foreign nations including North Korea, Iran, Pakistan and Syria to acquire materials and knowledge in the Netherlands. Here is my translation of the NOS report:

The Dutch intelligence & security services annually thwarts “a substantial number of attempts” by foreign countries to acquire knowledge and materials for WMDs. That is what Onno Eichelsheim, chief of the Military Intelligence & Security Service (MIVD), states in an interview with the ANP.

Eichelsheim won’t say how frequently it happens. The reason for that is that he does not want to reveal the capabilities of the department that exclusively deals with that. The MIVD chief only notes that the Unit Counterproliferation employs dozens of personnel, and informs the ministry of defense dozens of times annually, for instance with regard to export licenses.

Eichelsheim states that companies and knowledge institutes are little aware that countries such as North Korea, Iran, Pakistan and Syria attempt to acquire knowledge in the Netherlands. The Netherlands is a technologically high-developed country, which those countries are eager to use.

Smaller companies who make products such as ball bearings or heat-resistant materials must also be alert, Eichelsheim says.

Countries that are seeking high-grade materials always use covers, such as a company or a middle person. Eichelsheim says it is certainly suspicious if a customer is willing to pay a high price for materials or chemicals that can be purchased elsewhere for a fraction of the price. Companies and institutes must be aware that their products can be used in the development of WMDs.

On 15 September 2017, Equifax stated their compromise happened through exploitation of a vulnerability in Apache Struts CVE-2017-5638 — published March 2017 when used in the wild — that involves a crafted Content-Type HTTP request header. For those interested, here are log rules of 28 (untargeted) requests that attempted to exploit this vulnerability on my own blog (which does not run Apache Struts) between 10 March 2017 and 14 September 2017.

The lines are quite long; scroll to right in the grey dialog below. Each line contains a single “#cmd=” that defines a command and a single “#cmds=” (I highlighted those parts in bold below) that feeds the command to cmd.exe on Windows systems and /bin/bash on non-Windows systems. 12 of 28 cases attempt to download & run code; the remaining 16 cases only execute echo “Struts2045” or echo “Amen4Wolves” and seem to be probes for vulnerability. In (only) one case the payload could still be accessed: hxxp://82.165.129.119/UnInstall.exe, which contains Cerber ransomware. So, this was an attempt to distribute ransomware by exploiting CVE-2017-5638; the source was 220.191.231.222, registered to ‘Jinhua Electronic Government Network’.

Posts navigation

Employed as technical security consultant at Secura B.V. (formerly known as Madison Gurkha). Guest researcher at University of Amsterdam. MSc in OS3 System & Network Engineering (2005-2006) and PhD in data anonymity (2007-2011) from University of Amsterdam.

Many posts on this blog are scraps of information, published for posterity and reference. Posts prior to Q2/2012 were submitted while I was employed at the University of Amsterdam.